Diffstat (limited to 'write.go')
-rw-r--r-- | write.go | 15 |
1 files changed, 13 insertions, 2 deletions
@@ -103,6 +103,9 @@ func (server *Server) handleAddInternal(state *State, r *message.AddRequest) (in } } + if _, ok := entry[ATTR_OBJECTCLASS]; !ok { + entry[ATTR_OBJECTCLASS] = []string{"top"} + } entry[ATTR_CREATORSNAME] = []string{state.login.user} entry[ATTR_CREATETIMESTAMP] = []string{genTimestamp()} entry[ATTR_ENTRYUUID] = []string{genUuid()} @@ -263,7 +266,8 @@ func (server *Server) handleModifyInternal(state *State, r *message.ModifyReques } // First permission check with no particular attributes - if !server.config.Acl.Check(&state.login, "modify", dn, []string{}) { + if !server.config.Acl.Check(&state.login, "modify", dn, []string{}) && + !server.config.Acl.Check(&state.login, "modifyAdd", dn, []string{}) { return ldap.LDAPResultInsufficientAccessRights, nil } @@ -316,7 +320,9 @@ func (server *Server) handleModifyInternal(state *State, r *message.ModifyReques } // Check for permission to modify this attribute - if !server.config.Acl.Check(&state.login, "modify", dn, []string{attr}) { + if !(server.config.Acl.Check(&state.login, "modify", dn, []string{attr}) || + (change.Operation() == ldap.ModifyRequestChangeOperationAdd && + server.config.Acl.Check(&state.login, "modifyAdd", dn, []string{attr}))) { return ldap.LDAPResultInsufficientAccessRights, nil } @@ -415,6 +421,11 @@ func (server *Server) handleModifyInternal(state *State, r *message.ModifyReques addMembers[i] = addMem } + if v, ok := newEntry[ATTR_OBJECTCLASS]; ok && len(v) == 0 { + return ldap.LDAPResultInsufficientAccessRights, fmt.Errorf( + "Cannot remove all objectclass values") + } + // Now, the modification has been processed and accepted and we want to commit it newEntry[ATTR_MODIFIERSNAME] = []string{state.login.user} newEntry[ATTR_MODIFYTIMESTAMP] = []string{genTimestamp()} |
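Review bot: In the `@@ -103` hunk the default is applied only when the `ATTR_OBJECTCLASS` key is absent, so an add request that supplies the attribute with an empty value list still stores an entry with no object class. The guard added to handleModifyInternal in the `@@ -415` hunk would then presumably refuse later modifications of that entry. Testing the length covers both cases: `if len(entry[ATTR_OBJECTCLASS]) == 0 {`. Whether attribute names in `entry` are already normalised to the `ATTR_OBJECTCLASS` spelling is decided above the hunk; if they are not, a differently cased name sent by the client would end up beside a second, defaulted key. handleAddInternal starts and ends outside the hunk.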
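Review bot: The coarse gate in the `@@ -263` hunk now admits a login that holds only `modifyAdd`, so the per-attribute check in the `@@ -316` hunk becomes the only thing that keeps such a login from replace and delete operations, and nothing at the gate says so. I would state the dependency where the gate is: `// Coarse gate: "modifyAdd" alone passes here; the per-attribute check below must restrict it to add operations.` A regression test in which a modifyAdd-only login is refused a replace and a delete on the same DN would pin the behaviour. The code between the two checks is outside the hunks, so whether anything there acts on the request before the per-attribute check runs cannot be judged from this page.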
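Review bot: The access decision in the `@@ -316` hunk is a negated three-term expression spread over three lines, which is easy to misread when auditing who may change what. Naming the two grants makes the rule explicit: `canModify := server.config.Acl.Check(&state.login, "modify", dn, []string{attr})`, `canAdd := change.Operation() == ldap.ModifyRequestChangeOperationAdd && server.config.Acl.Check(&state.login, "modifyAdd", dn, []string{attr})`, then `if !canModify && !canAdd {`. That form always evaluates the `modifyAdd` check, which is equivalent only if `Acl.Check` has no side effects (not visible here). Since an add on `ATTR_OBJECTCLASS` or on a membership attribute changes what an entry is or belongs to, a comment should note that `modifyAdd` rules are expected to name their attributes narrowly. The enclosing loop and function extend beyond the hunk.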
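Review bot: The guard added in the `@@ -415` hunk reports a schema problem as `ldap.LDAPResultInsufficientAccessRights`, so clients and audit logs will record an authorization denial for a request that was permitted but invalid. RFC 4511 defines objectClassViolation (65) for this case, and the guard should return the `ldap` package's constant for that code if it provides one. The test `ok && len(v) == 0` also fires only when the key survives with an empty slice. If the delete path above the hunk removes the key once its last value is gone, the guard is skipped, so that path is worth confirming. By Go convention the error string would be lowercase: `"cannot remove all objectclass values"`.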